diff --git a/roles/iiab-admin/tasks/admin-user.yml b/roles/iiab-admin/tasks/admin-user.yml index 2d1dd0c99..1f590f534 100644 --- a/roles/iiab-admin/tasks/admin-user.yml +++ b/roles/iiab-admin/tasks/admin-user.yml @@ -1,25 +1,26 @@ -- name: Create user {{ iiab_admin_user }} for Admin Console; set password from iiab_admin_pwd_hash if newly creating account +- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account user: - name: "{{ iiab_admin_user }}" + name: "{{ iiab_admin_user }}" # iiab-admin password: "{{ iiab_admin_pwd_hash }}" update_password: on_create shell: /bin/bash + groups: sudo -- name: Create a wheel group - group: - name: wheel - state: present +#- name: Create a wheel group +# group: +# name: wheel +# state: present -- name: Create a sudo group (redhat) - group: - name: sudo - state: present - when: is_redhat | bool +#- name: Create a sudo group (redhat) +# group: +# name: sudo +# state: present +# when: is_redhat | bool -- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo' - user: - name: "{{ iiab_admin_user }}" - groups: wheel,sudo +#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo' +# user: +# name: "{{ iiab_admin_user }}" +# groups: wheel,sudo - name: Edit the sudoers file -- first make it editable file: @@ -33,10 +34,12 @@ dest: /etc/sudoers state: present -- name: Lets wheel sudo without password - lineinfile: - line: "%wheel ALL= NOPASSWD: ALL" - dest: /etc/sudoers +#- name: Lets {{ iiab_admin_user }} sudo without password +##- name: Lets wheel sudo without password +# lineinfile: +# line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL" +## line: "%wheel ALL= NOPASSWD: ALL" +# dest: /etc/sudoers - name: Remove the line which requires tty lineinfile: diff --git a/roles/iiab-admin/tasks/main.yml b/roles/iiab-admin/tasks/main.yml index 8ccc64068..54275c7cf 100644 --- a/roles/iiab-admin/tasks/main.yml +++ b/roles/iiab-admin/tasks/main.yml @@ -3,20 +3,6 @@ - include_tasks: access.yml -- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }} - ini_file: - dest: "{{ iiab_ini_file }}" - section: iiab-admin - option: "{{ item.option }}" - value: "{{ item.value | string }}" - with_items: - - option: name - value: iiab-admin - - option: description - value: '"Admin User"' - - option: iiab_admin_user - value: "{{ iiab_admin_user }}" - - name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default template: src: sshpwd-profile-iiab.sh @@ -61,3 +47,18 @@ path: "{{ iiab_state_file }}" # /etc/iiab/iiab_state.yml regexp: '^iiab_admin_installed' line: 'iiab_admin_installed: True' + + +- name: Add 'iiab-admin' variable values to {{ iiab_ini_file }} + ini_file: + dest: "{{ iiab_ini_file }}" # /etc/iiab/iiab.ini + section: iiab-admin + option: "{{ item.option }}" + value: "{{ item.value | string }}" + with_items: + - option: name + value: iiab-admin + - option: description + value: '"Admin User"' + - option: iiab_admin_user + value: "{{ iiab_admin_user }}" diff --git a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh index ea17af847..ebc53eb99 100755 --- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh @@ -1,12 +1,20 @@ #!/bin/bash -export TEXTDOMAIN=pprompt-iiab +# SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh -. gettext.sh +# For Localization/Translation: (use /usr/bin/gettext below if later nec!) +#export TEXTDOMAIN=pprompt-iiab +#. gettext.sh +# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh +# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { + id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user + # *BUT* overall bash script still returns exit code 0 ("success") + # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) @@ -15,14 +23,10 @@ check_user_pwd() { [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -# Credit to the folks at the Raspberry Pi Foundation -check_hash() { - if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi - if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi - if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then - zenity --warning --width=600 --text="SSH is enabled and the default password for user 'iiab-admin' is in use.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" - fi -} +#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return +#systemctl is-active {{ sshd_service }} || return -systemctl is-active {{ sshd_service }} > /dev/null && check_hash -unset check_hash +if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n + zenity --warning --width=600 --text="Published password in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" + #zenity --warning --width=600 --text="SSH is enabled and the published password is in use by user '{{ iiab_admin_user }}'.\n\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box.lan/admin) -> Utilities -> Change Password.\n\nSee 'What are the default passwords?' at http://FAQ.IIAB.IO" +fi diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh index 9c4bd4964..d611b16d0 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh @@ -1,31 +1,51 @@ #!/bin/bash -export TEXTDOMAIN=Linux-PAM +# SEE ALSO: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh sourced from... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh +# ...invoked by /etc/xdg/lxsession/LXDE-pi/autostart which is customized by... +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L32-L36 -. gettext.sh +# For Localization/Translation: (use /usr/bin/gettext below if later nec!) +#export TEXTDOMAIN=Linux-PAM +#. gettext.sh +# https://github.com/raspberrypi-ui/pam/blob/master/etc/profile.d/sshpwd.sh +# https://github.com/raspberrypi-ui/pprompt/blob/master/sshpwd.sh # bash syntax "function check_user_pwd() {" was removed, as it prevented all # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253 check_user_pwd() { + + id -u $1 > /dev/null 2>&1 || return 2 # FORCE ERROR if no such user + # *BUT* overall bash script still returns exit code 0 ("success") + # $meth (hashing method) is typically '6' which implies 5000 rounds # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password - meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) - salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) - hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) + meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2) + salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3) + hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4) [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ] } -# Credit to the folks at the Raspberry Pi Foundation -check_hash() { - if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi - if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi - if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then - echo - echo $(/usr/bin/gettext "SSH is enabled and the published password for user 'iiab-admin' is in use.") - echo $(/usr/bin/gettext "THIS IS A SECURITY RISK - please run 'sudo passwd iiab-admin' to change it.") - echo - fi -} +[ $(id -un) = "root" ] || return # MUST be executed as root! Non-root logins +# were blocking on above permissions to grep /etc/shadow. As it's unreasonable +# to provide sudo privs to every user (with "NOPASSWD:" password-free sudo +# access or not, as required by graphical logins!) iiab/iiab#2561 -systemctl is-active {{ sshd_service }} > /dev/null && check_hash -unset check_hash +# 2020-10-10 RECAP: most logins (graphical or tty) blocked on above [sudo] grep +# (at least tty logins finally let sudoers in, after entering password twice!) +# EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still worked, no matter +# whether sshpwd-lxde-iiab.sh's "sudo grep" displayed our popup warning or not! + +#[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || return +# HISTORICAL: if password-free sudo access is truly nec, it can be set with +# "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml +# BUT: popup warnings still don't appear on most OS's, much as mentioned here: +# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30 + +if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then # iiab-admin g0adm1n + echo + echo "Published password in use by user '{{ iiab_admin_user }}'." + echo "THIS IS A SECURITY RISK - please run 'sudo passwd {{ iiab_admin_user }}' to change it." + echo +fi diff --git a/roles/phpmyadmin/defaults/main.yml b/roles/phpmyadmin/defaults/main.yml index fe5077f4f..90aa9e2ed 100644 --- a/roles/phpmyadmin/defaults/main.yml +++ b/roles/phpmyadmin/defaults/main.yml @@ -4,5 +4,5 @@ # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -phpmyadmin_name: "phpMyAdmin-5.0.2-all-languages" +phpmyadmin_name: "phpMyAdmin-5.0.3-all-languages" # D/l from http://download.iiab.io/packages phpmyadmin_name_zip: "{{ phpmyadmin_name }}.zip" diff --git a/roles/phpmyadmin/tasks/install.yml b/roles/phpmyadmin/tasks/install.yml index 75813d414..eb52e30fe 100644 --- a/roles/phpmyadmin/tasks/install.yml +++ b/roles/phpmyadmin/tasks/install.yml @@ -10,14 +10,14 @@ - name: Download {{ iiab_download_url }}/{{ phpmyadmin_name_zip }} to {{ downloads_dir }} get_url: - url: "{{ iiab_download_url }}/{{ phpmyadmin_name_zip }}" + url: "{{ iiab_download_url }}/{{ phpmyadmin_name_zip }}" # e.g. http://download.iiab.io/packages/phpMyAdmin-5.0.3-all-languages.zip dest: "{{ downloads_dir }}" timeout: "{{ download_timeout }}" when: internet_available | bool -- name: Does {{ downloads_dir }}/{{ phpmyadmin_name_zip }} exist? # e.g. /opt/iiab/downloads/phpMyAdmin-5.0.2-all-languages.zip +- name: Does {{ downloads_dir }}/{{ phpmyadmin_name_zip }} exist? stat: - path: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}" + path: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}" # e.g. /opt/iiab/downloads/phpMyAdmin-5.0.3-all-languages.zip register: phpmyadmin_dl - name: FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ phpmyadmin_name_zip }} doesn't exist diff --git a/roles/sugarizer/defaults/main.yml b/roles/sugarizer/defaults/main.yml index caac1e4bb..9c9573037 100644 --- a/roles/sugarizer/defaults/main.yml +++ b/roles/sugarizer/defaults/main.yml @@ -13,7 +13,7 @@ sugarizer_dir_version: sugarizer-1.4.0 # WAS: sugarizer-1.0, sugarizer-master sugarizer_git_version: v1.4.0 # WAS: v1.0.1, master, v1.1.0, v1.2.0, v1.3.0 # PLEASE HELP MONITOR https://github.com/llaske/sugarizer/releases -sugarizer_server_dir_version: sugarizer-server-1.2.0 # WAS: sugarizer-server-1.0, sugarizer-server-master, sugarizer-server-dev, sugarizer-server-1.1.0, sugarizer-server-1.1.1 -sugarizer_server_git_version: v1.2.0 # WAS: v1.0.1, master, dev, f27bf6acd56aba6d99116ef471ca713b0f0dfed3, v1.1.0, v1.1.1 +sugarizer_server_dir_version: sugarizer-server-1.3.0 # WAS: sugarizer-server-1.0, sugarizer-server-master, sugarizer-server-dev, sugarizer-server-1.1.0, sugarizer-server-1.1.1, sugarizer-server-1.2.0 +sugarizer_server_git_version: v1.3.0 # WAS: v1.0.1, master, dev, f27bf6acd56aba6d99116ef471ca713b0f0dfed3, v1.1.0, v1.1.1, v1.2.0 # PLEASE HELP MONITOR https://github.com/llaske/sugarizer-server/commits/dev # AND https://github.com/llaske/sugarizer-server/releases diff --git a/roles/www_options/tasks/main.yml b/roles/www_options/tasks/main.yml index b33b5c92b..70df9f95c 100644 --- a/roles/www_options/tasks/main.yml +++ b/roles/www_options/tasks/main.yml @@ -86,7 +86,7 @@ template: src: 020_apache_poweroff.j2 dest: /etc/sudoers.d/020_apache_poweroff - mode: '0755' + mode: '0440' when: apache_allow_sudo | bool - name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff